New identity security posture assessments: Unsecure SID-History attributes and Microsoft LAPS Usage


We are happy to announce two new Azure ATP identity security posture assessments for unsecure SID-History attributes and Microsoft LAPS usage.

 

What is the SID-History attribute?

SID History is an attribute that supports migration scenarios. Every user account has an associated Security Identifier (SID), which is used to track the security principal and the access the account has when connecting to resources. SID History allows the access held by one account to be effectively cloned onto another, and it is extremely useful for ensuring that users retain access when they are moved (migrated) from one domain to another.

 

What risk does an unsecure SID History attribute pose?

Organizations that fail to secure their account attributes leave the door unlocked for malicious actors.

Malicious actors, much like thieves, often look for the easiest and quietest way into any environment. Accounts configured with an unsecure SID History attribute are windows of opportunity for attackers and expose the organization to risk.

For example, a non-sensitive account in one domain can carry the Enterprise Admins SID of another domain in the Active Directory forest in its SID History, effectively "elevating" that user account to admin in every domain in the forest. Also, if you have a forest trust without SID Filtering enabled (also called Quarantine), a SID from the other forest can be injected, and it will be added to the user's token at authentication and used for elevated access.

How do I use this security assessment?

  1. Use the report table to discover which of your accounts have an unsecure SID History attribute.

[Figure SID2.png: the Unsecure SID History assessment report table]

  • Take appropriate action to remove the SID History attribute from the affected accounts using PowerShell, with the following commands:
    1. Identify the SID in the SIDHistory attribute on the account:

       Get-ADUser -Identity <account> -Properties SIDHistory | Select-Object -ExpandProperty SIDHistory

    2. Remove the SIDHistory value using the SID identified in the previous step:

       Set-ADUser -Identity <account> -Remove @{SIDHistory='S-1-5-21-...'}
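The two commands above handle one account at a time. The script below is an added example, not code from the original post or from the Azure ATP product: it enumerates every object in the domain that carries a sIDHistory value, flags the two conditions the post describes (a privileged SID such as Enterprise Admins, or a SID that belongs to no domain in this forest), and previews the removal with -WhatIf so nothing changes until each finding has been reviewed. The ActiveDirectory RSAT module is assumed, and the table of privileged RIDs is an assumption chosen for this example.

```powershell
# Added example, not part of the original post: audit every object that carries a
# sIDHistory value and flag entries worth reviewing before running the -Remove step.
# Assumes the ActiveDirectory RSAT module and read access to the domain partition.
Import-Module ActiveDirectory

# Assumption: well-known RIDs treated as privileged when they show up in SID History.
$privilegedRids = @{
    '512' = 'Domain Admins'
    '518' = 'Schema Admins'
    '519' = 'Enterprise Admins'
    '520' = 'Group Policy Creator Owners'
}

# Domain SIDs of every domain in this forest; any other domain prefix is foreign.
$forestDomainSids = (Get-ADForest).Domains |
    ForEach-Object { (Get-ADDomain -Identity $_).DomainSID.Value }

function Get-SidHistoryFinding {
    # Evaluate each sIDHistory value in the domain and return one row per finding.
    Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, sAMAccountName |
        ForEach-Object {
            $obj = $_
            foreach ($sid in $obj.sIDHistory) {
                $sidString  = [string]$sid
                $cut        = $sidString.LastIndexOf('-')
                $domainPart = $sidString.Substring(0, $cut)   # SID without the RID
                $rid        = $sidString.Substring($cut + 1)  # relative identifier
                $reasons    = @()

                if ($privilegedRids.ContainsKey($rid)) {
                    $reasons += "privileged RID $rid ($($privilegedRids[$rid]))"
                }
                if ($domainPart -eq 'S-1-5-32') {
                    $reasons += 'BUILTIN group SID'
                } elseif ($forestDomainSids -notcontains $domainPart) {
                    $reasons += 'SID from outside this forest'
                }

                if ($reasons.Count -gt 0) {
                    [pscustomobject]@{
                        Account    = $obj.sAMAccountName
                        Object     = $obj.DistinguishedName
                        HistorySid = $sidString
                        Reason     = $reasons -join '; '
                    }
                }
            }
        }
}

$findings = Get-SidHistoryFinding
$findings | Format-Table -AutoSize

# Remediation for reviewed findings: the same -Remove operation as the post's
# Set-ADUser step, applied via Set-ADObject so groups and computers are covered too.
# -WhatIf only previews the change; drop it once each finding has been confirmed stale.
foreach ($f in $findings) {
    Set-ADObject -Identity $f.Object -Remove @{sIDHistory = $f.HistorySid} -WhatIf
}
```

Run it from an account that can read sIDHistory on every object (the attribute is readable by default, but removal needs rights on the target object), keep the -WhatIf until the migration owner has confirmed the legacy access is no longer needed, and record the removed values so that access can be restored through group membership rather than SID History if something breaks.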

 

 

What is Microsoft LAPS?

Microsoft LAPS (Local Administrator Password Solution) provides a solution to the problem of using a common local account with an identical password on every computer in a domain. LAPS resolves this by setting a different, regularly rotated random password for the common local administrator account on every computer in the domain.

 

Why should I use Microsoft LAPS?

LAPS simplifies password management while helping customers implement additional recommended defenses against cyberattacks. In particular, the solution mitigates the risk of lateral escalation that results when customers use the same administrative local account and password combination on their computers. LAPS stores the password for each computer's local administrator account in Active Directory, secured in a confidential attribute on the computer's corresponding AD object. The computer can update its own password data in Active Directory, and domain administrators can grant read access to authorized users or groups, such as workstation helpdesk administrators.

 

How do I use this security assessment?

  1. Use the report table to discover which of your domains have some (or all) compatible Windows devices that are not protected by LAPS, or that have not had their LAPS-managed password changed in the last 60 days.
  2. For domains that are partially protected, select the relevant row to view the list of devices not protected by LAPS in that domain.

[Figure LAPS1.png: the Microsoft LAPS usage assessment report table]

  3. Take appropriate action on those devices by downloading, installing, and configuring or troubleshooting Microsoft LAPS using the documentation provided in the LAPS download.

[Figure LAPS2.png: the list of devices not protected by LAPS in a partially protected domain]
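The assessment reports coverage per domain from the Azure ATP side. As an added example, not code from the original post or from the LAPS product, the script below reproduces the same two checks directly against Active Directory so the results can be cross-checked or exported: it reads only the legacy LAPS schema attribute ms-Mcs-AdmPwdExpirationTime (an assumption; the password attribute itself is never touched), reports computers that have no LAPS expiry at all, and flags those whose rotation is overdue by the post's 60-day yardstick. The 30-day maximum password age is an assumption standing in for whatever the LAPS policy sets.

```powershell
# Added example, not part of the original post: report Windows computers that are not
# covered by legacy Microsoft LAPS, or whose LAPS-managed password is past its expiry.
# Assumes the ActiveDirectory RSAT module and the legacy LAPS schema attribute
# ms-Mcs-AdmPwdExpirationTime (a FILETIME in UTC). ms-Mcs-AdmPwd is never read here.
Import-Module ActiveDirectory

# Assumption: the maximum password age configured in the LAPS policy. An expiry that
# lies further out than this means the rotation date was pushed into the future.
$MaxPasswordAgeDays = 30

function Get-LapsCoverageReport {
    param([int]$StaleDays = 60)   # the post's "not changed in the last 60 days" threshold

    $now = (Get-Date).ToUniversalTime()
    Get-ADComputer -Filter { Enabled -eq $true -and OperatingSystem -like 'Windows*' } `
                   -Properties OperatingSystem, 'ms-Mcs-AdmPwdExpirationTime' |
        ForEach-Object {
            $raw = $_.'ms-Mcs-AdmPwdExpirationTime'
            if ($null -eq $raw) {
                # No expiry stamp: the LAPS client has never written to this object.
                $expires = $null
                $status  = 'Not protected by LAPS'
            } else {
                $expires = [DateTime]::FromFileTimeUtc([int64]$raw)
                # The client writes expiry = rotation time + policy age, so the last
                # rotation is approximately expiry minus the policy age.
                $lastChange = $expires.AddDays(-$MaxPasswordAgeDays)
                $age = [int]($now - $lastChange).TotalDays

                if ($expires -lt $now -and $age -ge $StaleDays) {
                    $status = "Rotation overdue ($age days since last change)"
                } elseif ($expires -lt $now) {
                    $status = 'Expired, rotation pending'
                } elseif ($expires -gt $now.AddDays($MaxPasswordAgeDays + 1)) {
                    $status = 'Expiry beyond policy, check for deferred rotation'
                } else {
                    $status = 'OK'
                }
            }
            [pscustomobject]@{
                Computer        = $_.Name
                OperatingSystem = $_.OperatingSystem
                PasswordExpires = $expires
                Status          = $status
            }
        }
}

# Everything that is not OK, grouped by condition; pipe to Export-Csv to keep a record.
Get-LapsCoverageReport | Where-Object Status -ne 'OK' |
    Sort-Object Status, Computer | Format-Table -AutoSize
```

Reading the expiry attribute needs no special permission, so the report can run from a low-privileged audit account; a computer that shows "Not protected by LAPS" here but as protected in the portal usually means the object was stamped in a different domain of the forest, which is why the assessment is broken down per domain.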

 

You can find these new assessments under Identity Security Posture in the Cloud App Security portal (Azure ATP integration must be enabled).

 

We would love to get your insights!
